To import your data from Black Duck into the Application Security Module, use the BlackDuck Connector under the Open Source section of the Cisco Vulnerability Management UI. There are two BlackDuck Connectors: the API Connector and the JSON Connector. To learn about the differences between API and file-based connectors, see the help page on connector types.
Cisco recommends the Black Duck Hub API Connector for ease of use. It is a full-run connector and does not currently support incremental runs. The two connectors function similarly; the difference is that the JSON Connector is file-based, meaning it will not pull information from BlackDuck automatically, so you must export a report and upload it yourself.
Prerequisites
- If your BlackDuck deployment is on-premises, you will need one of the following:
  - Virtual Tunnel
  - Agent
- For the API Connector, the account you use must have access to the BlackDuck API. See Determine Appropriate Access below.
Determine Appropriate Access
Create an access user with the appropriate level of access to projects that you want imported into Cisco Vulnerability Management.
1. As an Administrator, in the BlackDuck UI go to the “hamburger menu” in the top-left corner and select Administration → User Management → Create User.
2. Do one of the following:
If you want Cisco Vulnerability Management to have access to the vulnerabilities of all of your projects, grant the new BlackDuck user the Global Project Viewer role.
If you want Cisco Vulnerability Management to have access to the vulnerabilities of only certain projects, then click Add Project and in the Project field, begin to type the name of each project that you would like this user to have visibility to. Auto complete suggestions will be provided matching available projects. You can enter multiple project names in this field.
Configuring your Connector in Cisco Vulnerability Management
1. In the Cisco Vulnerability Management UI, click Connectors.
2. Click Add Connector.
3. In the Open Source section, click BlackDuck Hub.
4. On the Black Duck Hub screen, enter the following information:
- Name: Enter a name for the connector, or leave it as Black Duck Hub.
- Username and Password: Enter the credentials of the BlackDuck account you want the connector to use.
- Host: If your host is static, enter the IP address and the port number. If your host is dynamic, enter the DNS name and the port number.
- Schedule: Select the frequency at which you want the connector to run. (Cisco recommends mirroring the cadence of your Black Duck scans.)
- Use Virtual Tunnel / Use Agent: If your deployment is on-premises, you must select one of these checkboxes, which appear below the Asset Inactivity Limit field, depending on which of the two you have deployed in your environment.
- Asset Inactivity Limit: Enter the connector-level asset inactivity limit in days. Cisco recommends 2-3 times the scan cadence of your connector.
Using Reports
When exporting data from BlackDuck for import into Cisco Vulnerability Management, you have three report types to choose from: Vulnerability Status, Vulnerability Remediation, and Vulnerability Update. The connector requires the Vulnerability Status report.
Exporting Reports
When using the JSON Connector (file-based), you need to export a report manually:
1. Log in to BlackDuck as the user you created above, with the appropriate level of Report access.
2. Go to the “hamburger menu” in the top-left corner of the UI and select Reports.
3. Select Create New Report.
4. Choose Report Type: Vulnerability Status Report.
5. Choose Report Format: HTML.
6. Wait for the report to be processed.
7. Once it is available, click the report to view it in your browser.
8. From your browser’s File menu, choose Save As. Alternatively, press Ctrl+S on your keyboard (Command+S on Mac).
9. To export a file the JSON Connector accepts, adjust the name of the report when saving: instead of Black Duck.htm, change the extension so that the name ends in .json.htm (for example, Black Duck.json.htm).
10. Log in to Cisco Vulnerability Management and go to Connectors.
11. If you do not already have a BlackDuck JSON Connector, create one.
12. Upload the file you saved in step 9 by dragging it onto your BlackDuck JSON Connector in Cisco Vulnerability Management.
What BlackDuck Items does Cisco Vulnerability Management Import?
| BlackDuck Field | Cisco Vulnerability Management Field | Notes |
|---|---|---|
| versionSummary > projectName | Application Identifier | Search for application_identifier in Cisco Vulnerability Management by using the custom query box and typing application:"" with the project name inside the quotes. |
| versionSummary > project.identifier | Asset External_id | |
| status is any of: 'Patched', 'Duplicate', 'Ignored', 'Mitigated', 'Remediation_Complete' | vulnerability Status = Closed | False positives and triage states are not mapped. If an item has any of the statuses in the first column, Cisco Vulnerability Management marks the vulnerability Closed. |
| status is none of: 'Patched', 'Duplicate', 'Ignored', 'Mitigated', 'Remediation_Complete' | vulnerability Status = Open | |
| doc.score | scanner_score | Range: 1-10. Severity bands: Informational 0, Low 3, Medium 6, High 9. |
| Vulnerability Title / Name | | |
| Black Duck Security Advisory | BDSA-##### | Any Black Duck security advisory that is not correlated with a CVE, CWE, or WASC-ID is imported as a unique BDSA. |
| cwe_id | CWE | |
| wasc_id | WASC-ID | |
| cve_id | CVE Raw Data | |
| report.generated_at | Found On | Black Duck does not pass timestamps in the report, so Cisco Vulnerability Management generates a “report generated at” timestamp for every connector run. Data seen for the first time is Found On the earliest date-time referenced. |
| report.generated_at | last_seen_time | Same connector-run timestamp: any data present in the most recent report has its last_seen information updated to that run. |
| doc.description | Description | |

After the Black Duck reports are pulled, Cisco Vulnerability Management generates a master document. Any item mapped from doc.* refers to that master document and does not necessarily match a field name in Black Duck.
Optional Settings
The following settings can be enabled on the backend for BlackDuck Hub Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.
Exclude Informationals
When you enable this option, Cisco Vulnerability Management will only import vulnerabilities that include a CVE, CWE, or WASC ID.
Ignore Scanner Last Seen Time
Select this setting if you do not want the asset last seen time in Cisco Vulnerability Management to be the scanner reported last seen time.
Custom Ordered Locators
Locators (such as IP, Netbios, and FQDN) can be reordered to better deduplicate vulnerabilities on the Connector level or the entire Platform level. For more information, see the help article here.
Common Reasons for BlackDuck Hub Connector Run Failures
- Bad credentials. If you enter incorrect credentials during connector setup, Cisco Vulnerability Management cannot authenticate to BlackDuck and the API calls fail.
- No reports found. In this case Cisco Vulnerability Management aborts the connector run rather than failing it outright.
- An API call fails (because no data is available, or for another reason).
- Unexpected data format. If Cisco Vulnerability Management receives data that is not in the expected format and cannot process it, the connector run fails.
- Too many bad payloads. If more than 1% of connector payloads fail to import cleanly, Cisco Vulnerability Management auto-fails the connector run.
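As an added illustration of the rules stated on this page (the field-mapping table's status, score, identifier and Found On / last_seen_time rows, the Exclude Informationals setting, and the 1% payload-failure rule above), the Python below re-implements that mapping over constructed sample data. It is an example written for this page, not the connector's own code. The input record shape (versionSummary, bdsa_id, cve_id, cwe_id, wasc_id, remediationStatus, score, description), the reading of the score bands as lower thresholds on the 1-10 scanner_score, and the placeholder BDSA numbers are assumptions made for the example.

```python
"""Illustrative re-implementation of the Black Duck -> Cisco Vulnerability Management
field mapping described on this page. Added example, not the connector's own code.
ASSUMPTION: the item shape used below is invented for the example, not Black Duck's schema.
"""

# Remediation statuses the mapping table turns into vulnerability Status = Closed.
CLOSED_STATUSES = {"Patched", "Duplicate", "Ignored", "Mitigated", "Remediation_Complete"}

# Correlated identifiers in precedence order; an item with none of them is a bare BDSA.
ID_FIELDS = (("cve_id", "CVE"), ("cwe_id", "CWE"), ("wasc_id", "WASC-ID"))

# ASSUMPTION: the table's bands (Informational 0, Low 3, Medium 6, High 9) are read as
# lower thresholds on the 1-10 scanner_score.
SEVERITY_THRESHOLDS = (("High", 9), ("Medium", 6), ("Low", 3))

FAILURE_BUDGET = 0.01  # auto-fail a run when more than 1% of payloads fail to import


def map_status(remediation_status):
    """Closed when Black Duck reports one of CLOSED_STATUSES, Open otherwise
    (false-positive and triage states are deliberately not mapped)."""
    return "Closed" if remediation_status in CLOSED_STATUSES else "Open"


def severity_band(scanner_score):
    for name, floor in SEVERITY_THRESHOLDS:
        if scanner_score >= floor:
            return name
    return "Informational"


def primary_identifier(item):
    """(kind, value): the correlated CVE/CWE/WASC-ID if present, else the BDSA itself."""
    for field, kind in ID_FIELDS:
        if item.get(field):
            return kind, item[field]
    return "BDSA", item["bdsa_id"]


def normalise(item, generated_at, exclude_informationals):
    """Map one report item onto the CVM fields; None means the item was filtered out."""
    kind, ident = primary_identifier(item)
    if exclude_informationals and kind == "BDSA":
        return None  # Exclude Informationals: only CVE/CWE/WASC-bearing items are imported
    score = float(item["score"])
    return {
        "application": item["versionSummary"]["projectName"],
        "asset_external_id": item["versionSummary"]["project.identifier"],
        "identifier": f"{kind}:{ident}",
        "status": map_status(item.get("remediationStatus")),
        "scanner_score": score,
        "severity": severity_band(score),
        "description": item.get("description", ""),
        # Black Duck passes no timestamps: both dates come from the connector run itself.
        "found_on": generated_at,
        "last_seen_time": generated_at,
    }


def exceeds_failure_budget(failed, total):
    return total > 0 and failed / total > FAILURE_BUDGET


def merge_runs(runs, exclude_informationals=False):
    """Fold chronologically ordered full runs into {(asset, identifier): record}.
    found_on keeps the earliest run that saw the item; status and last_seen_time
    follow the latest run. Raises when a run exceeds the failure budget."""
    state = {}
    for run in runs:
        failed = 0
        for item in run["items"]:
            try:
                rec = normalise(item, run["generated_at"], exclude_informationals)
            except (KeyError, TypeError, ValueError):
                failed += 1  # malformed payload: counted, not fatal on its own
                continue
            if rec is None:
                continue
            key = (rec["asset_external_id"], rec["identifier"])
            if key in state:
                rec["found_on"] = state[key]["found_on"]  # keep the earliest sighting
            state[key] = rec
        if exceeds_failure_budget(failed, len(run["items"])):
            raise RuntimeError(f"{failed}/{len(run['items'])} payloads failed; run auto-failed")
    return state


# Constructed sample: two weekly full runs of one project. Not real Black Duck output;
# the BDSA numbers are placeholders.
PROJECT = {"projectName": "payments-api", "project.identifier": "example-project-42"}
SAMPLE_RUNS = [
    {"generated_at": "2024-03-01T06:00:00Z", "items": [
        {"versionSummary": PROJECT, "bdsa_id": "BDSA-0000-0001", "cve_id": "CVE-2021-44228",
         "score": 10, "remediationStatus": None, "description": "Log4j JNDI lookup RCE"},
        {"versionSummary": PROJECT, "bdsa_id": "BDSA-0000-0002", "score": 2,
         "remediationStatus": None, "description": "advisory with no CVE, CWE or WASC-ID"},
    ]},
    {"generated_at": "2024-03-08T06:00:00Z", "items": [
        {"versionSummary": PROJECT, "bdsa_id": "BDSA-0000-0001", "cve_id": "CVE-2021-44228",
         "score": 10, "remediationStatus": "Patched", "description": "Log4j JNDI lookup RCE"},
        {"versionSummary": PROJECT, "bdsa_id": "BDSA-0000-0002", "score": 2,
         "remediationStatus": None, "description": "advisory with no CVE, CWE or WASC-ID"},
    ]},
]

if __name__ == "__main__":
    for (asset, ident), rec in merge_runs(SAMPLE_RUNS).items():
        print(asset, ident, rec["status"], rec["severity"], rec["found_on"], "->", rec["last_seen_time"])
```

Running it shows the CVE-bearing item becoming Closed in the second run while keeping its first-run Found On date, the uncorrelated BDSA staying Open at Informational severity, and `merge_runs(SAMPLE_RUNS, exclude_informationals=True)` dropping that BDSA entirely; a run whose only item is malformed trips the 1% budget and raises.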
Additional Assistance
Contact Support if you require any additional assistance with the BlackDuck Hub Connector.